Introduction

The Cisco ASA 5500 series adaptive security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces enhancements to the following areas: firewall services, and management/monitoring.

For more information on all the new features, see New Features.

Additionally, the Cisco ASA 5500 series adaptive security appliance software supports Adaptive Security Device Manager (ASDM). ASDM is a browser-based Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the adaptive security appliance and then used to configure, monitor, and manage the device.

System Requirements

The sections that follow list the system requirements for operating a Cisco ASA 5500 series adaptive security appliance. This section includes the following topics:

New Features

EtherType ACLs have been enhanced to allow non-standard MACs. Existing default rules are retained, but no new ones need to be added.

Also available in Version 7.2(4) and 8.0(4).

Remote Access Features

Local Address Pool Edit

Address pools can be edited without affecting the desired connection. If an address in use is not being eliminated from the pool, the connection is not affected. However, if the address in use is being eliminated from the pool, the connection is brought down.

Also available in Version 7.2(4) and 8.0(4).

Connection Features

clear conn Command

The clear conn command was added to remove connections.

Also available in Version 7.2(4) and 8.0(4).

Fragment full reassembly

The fragment command was enhanced with the reassembly full keywords to enable full reassembly for fragments that are routed through the device. Fragments that terminate at the device are always fully reassembled.

Also available in Version 7.2(4) and 8.0(4).

Troubleshooting and Monitoring Features

capture command Enhancement

The capture type asp-drop drop_code command now accepts all as the drop_code, so you can now capture all packets that the adaptive security appliance drops, including those dropped due to security checks.

Also available in Version 7.2(4) and 8.0(4).

show asp drop Command Enhancement

Output now includes a timestamp indicating when the counters were last cleared (see the clear asp drop command). It also displays the drop reason keyword next to each description, so you can pass that keyword directly to the capture type asp-drop command.

Also available in Version 7.2(4) and 8.0(4).
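The two enhancements above (capture type asp-drop all and the keyword-annotated show asp drop output) are meant to be used together: read the drop counters, pick the reason that is climbing, and start a capture keyed on it. The following Python script is an added example, not code from the release notes or from Cisco; the show asp drop text it parses is a constructed sample that follows the format described here (keyword in parentheses beside the description, plus a Last clearing line), and the exact spacing of real appliance output may differ.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show asp drop" output, modelled on the format this
# release note describes. It is not captured from a real appliance.
SAMPLE_SHOW_ASP_DROP = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      1532
  First TCP packet not SYN (tcp-not-syn)                             418
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                       27
  Invalid TCP Length (invalid-tcp-hdr-length)                          3

Last clearing: 09:12:41 UTC May 14 2008 by enable_15

Flow drop:
  Inspection failure (inspect-fail)                                   12

Last clearing: 09:12:41 UTC May 14 2008 by enable_15
"""


@dataclass(frozen=True)
class DropReason:
    section: str      # "Frame drop" or "Flow drop"
    description: str  # human-readable text printed by the appliance
    keyword: str      # drop_code usable with "capture <name> type asp-drop"
    count: int


# "  <description> (<keyword>)   <count>"
_REASON_RE = re.compile(
    r"^\s+(?P<desc>.+?)\s+\((?P<key>[A-Za-z0-9_-]+)\)\s+(?P<count>\d+)\s*$")
_CLEAR_RE = re.compile(r"^Last clearing:\s*(?P<when>.+?)\s*$")


def parse_asp_drop(text):
    """Return (list of DropReason, last-clearing timestamp) from show asp drop text."""
    reasons = []
    section = None
    last_clearing = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Section headers are unindented and end with a colon.
        if line.endswith(":") and not line.startswith(" "):
            section = line[:-1]
            continue
        m = _CLEAR_RE.match(line)
        if m:
            last_clearing = m.group("when")
            continue
        m = _REASON_RE.match(line)
        if m and section:
            reasons.append(DropReason(section, m.group("desc"),
                                      m.group("key"), int(m.group("count"))))
    return reasons, last_clearing


def top_reasons(reasons, n=3):
    """Drop reasons sorted by counter value, highest first."""
    return sorted(reasons, key=lambda r: r.count, reverse=True)[:n]


def capture_command(name, keyword="all"):
    """Build the capture command for one drop reason keyword, or "all" for every drop."""
    return f"capture {name} type asp-drop {keyword}"


if __name__ == "__main__":
    reasons, cleared = parse_asp_drop(SAMPLE_SHOW_ASP_DROP)
    print(f"counters last cleared: {cleared}")
    for r in top_reasons(reasons):
        print(f"{r.count:>6}  {r.section:<10} {r.keyword:<24} {r.description}")
        print(f"        -> {capture_command('drops', r.keyword)}")
```

Because the output now carries the time the counters were last cleared, the script can report that alongside the counts; a large acl-drop figure means little unless you know how long it has been accumulating.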

clear asp table Command

Added the clear asp table command to clear the hits output by the show asp table commands.

Also available in Version 7.2(4) and 8.0(4).

show asp table classify hits Command Enhancement

The hits option was added to the show asp table classify command, showing the timestamp indicating the last time the asp table counters were cleared. It also shows rules with hits values not equal to zero. This permits users to quickly see what rules are being hit, especially since a simple configuration may end up with hundreds of entries in the show asp table classify command.

• no memory tracking enable - This command disables tracking of heap memory requests, cleans up all currently gathered information, and returns all heap memory used by the tool itself to the system.

• clear memory tracking - This command clears out all currently gathered information but continues to track further memory requests.

• show memory tracking - This command shows currently allocated memory tracked by the tool, broken down by the topmost caller function address.

• show memory tracking address - This command shows currently allocated memory broken down by each individual piece of memory. The output lists the size, location, and topmost caller function of each currently allocated piece of memory tracked by the tool.

• show memory tracking dump - This command shows the size, location, partial callstack, and a memory dump of the given memory address.

• show memory tracking detail - This command shows various internal details to be used in gaining insight into the internal behavior of the tool.

Also available in Version 7.2(4) and 8.0(4).

Failover Features

failover timeout Command

The failover timeout command no longer requires a failover license for use with the static nailed feature.

Also available in Version 7.2(4) and 8.0(4).

Usability Features

show access-list Output

Expanded access list output is indented to make it easier to read.

Also available in Version 7.2(4) and 8.0(4).

show arp Output

In transparent firewall mode, you might need to know whether an ARP entry is statically configured or dynamically learned. ARP inspection drops ARP replies from a legitimate host if a dynamic ARP entry has already been learned. ARP inspection only works with static ARP entries. The show arp command now shows each entry with its age if it is dynamic, or no age if it is static.

Also available in Version 7.2(4) and 8.0(4).
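The practical use of the new show arp output is to find hosts that ARP inspection cannot protect because they are known only through dynamic entries. The Python below is an added example, not code from the release notes or from Cisco: it parses a constructed show arp sample in the form described above (a trailing age for dynamic entries, no age for static ones), lists the dynamic entries on interfaces where you have ARP inspection enabled, and renders the static arp statements that would pin those hosts. The set of inspected interfaces is passed in as a parameter rather than read from the appliance, which is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "show arp" output in the form this release note
# describes: dynamic entries carry a trailing age in seconds, static entries
# carry no age. Not captured from a real appliance.
SAMPLE_SHOW_ARP = """\
        inside 10.1.1.5 0009.7cf6.9b82 2
        inside 10.1.1.7 0009.7cf6.a1c0 1437
        inside 10.1.1.1 0013.c4e2.0a10
        outside 192.168.1.1 000b.4600.12ac 88
"""

# Cisco dotted MAC notation, e.g. 0009.7cf6.9b82
_MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


@dataclass(frozen=True)
class ArpEntry:
    interface: str
    ip: str
    mac: str
    age: Optional[int]   # None for a static entry

    @property
    def static(self):
        return self.age is None


def parse_show_arp(text):
    """Parse show arp lines into ArpEntry records; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) not in (3, 4) or not _MAC_RE.match(fields[2]):
            continue
        # Only a numeric fourth field is an age; anything else (or no field)
        # is treated as a static entry, matching the description above.
        age = int(fields[3]) if len(fields) == 4 and fields[3].isdigit() else None
        entries.append(ArpEntry(fields[0], fields[1], fields[2], age))
    return entries


def dynamic_on_inspected(entries, inspected_interfaces):
    """Dynamic entries on interfaces with ARP inspection enabled.

    ARP inspection only works with static entries, so these hosts are the
    candidates for a static arp statement."""
    return [e for e in entries
            if not e.static and e.interface in inspected_interfaces]


def static_arp_config(entries):
    """Render 'arp <interface> <ip> <mac>' lines for the given entries."""
    return [f"arp {e.interface} {e.ip} {e.mac}" for e in entries]


if __name__ == "__main__":
    arp = parse_show_arp(SAMPLE_SHOW_ARP)
    # Assumed for the example: ARP inspection is enabled on "inside" only.
    for line in static_arp_config(dynamic_on_inspected(arp, {"inside"})):
        print(line)
```

Review the generated lines before applying them: a dynamic entry reflects whatever the appliance last learned, so confirm each IP-to-MAC pairing against your inventory rather than pinning it blindly.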

show conn Command

The syntax was simplified to use source and destination concepts instead of "local" and "foreign." In the new syntax, the source address is the first address entered and the destination is the second address. The old syntax used keywords like foreign and port to determine the destination address and port.

Important Notes

This section lists important notes related to Version 7.0(8).

Common Criteria EAL4+

For information on Common Criteria EAL4+, see the Installation and Configuration for Common Criteria EAL4 Evaluated Cisco Adaptive Security Appliance, Version 7.0(6) document.

FIPS 140-2

Cisco ASA 5510, 5520, and 5540 adaptive security appliances are FIPS 140-2, Level 2 validated. You can view the official certificate (#655) via the following URL:

Features not Supported in Version 7.0

MIB Supported

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Caveats

The following sections describe the caveats for the Version 7.0(8).

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

• Commands are in boldface type.

• Product names and acronyms may be standardized.

• Spelling errors and typos may be corrected.

Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

security-association lifetime cannot be removed with no crypto map ...

CSCso81153

Yes

Traceback in dispatch unit with MGCP inspection

CSCso82264

Yes

ASA: icmp inspection may drop icmp error packets

CSCso84996

Yes

ASA truncates CN field at 11 characters if CN contains '@' (W2K CA)

CSCso85452

Yes

h323 messages on console; performance degrade

CSCso87435

Yes

NAT-T not working when client source port not 4500 with ACL match

Related Documentation

For additional information on the Cisco ASA 5500 series adaptive security appliance, see the following URL on Cisco.com: http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)